Here we have a format string vulnerability at the printf call. We also have a buffer overflow at the strcpy call, which can overwrite all the local variables and even the return address of the function. Notice that a function pointer is stored in v3 and gets called after our buffer overflow, which means we can change its value as well. However, before calling it the function compares the 4 bytes above the pointed-to address with 0x4EC8310. It has a similar but slightly different check for the return address as well. Therefore, we cannot jump/call wherever we like. v3 is just 20 bytes away from s1.
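The two bug classes named above, as an added example that is not code from the challenge binary or from the original writeup: the unbounded strcpy and the user-controlled printf format, each next to a bounded form, plus a function-pointer dispatch that checks the pointer itself against an allow-list instead of checking a magic value near the target. All names, the 32-byte buffer and the handler table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example (assumed names and sizes), not the challenge binary's code. */

#define BUF_SIZE 32

typedef void (*handler_t)(void);

static void handler_a(void) { puts("handler_a"); }
static void handler_b(void) { puts("handler_b"); }
static void not_allowed(void) { puts("should never run"); }

/* Allow-list: the only code addresses that may be called through the pointer. */
static const handler_t allowed_handlers[] = { handler_a, handler_b };

/* Vulnerable shape (never called here): the input is copied with no bound,
 * so a long string runs past s1 into the neighbouring locals (the writeup
 * places the function pointer 20 bytes past the buffer), and the same
 * string is then used as the printf format, so '%' directives in it read
 * and write memory through printf. */
void handle_input_vulnerable(const char *input)
{
    char s1[BUF_SIZE];
    strcpy(s1, input);   /* no length check */
    printf(s1);          /* input controls the format */
}

/* Bounded copy: 0 on success, -1 if src plus its NUL does not fit in dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* 1 if s contains a '%' that printf would treat as a directive; a cheap
 * input filter to put in front of code that cannot be changed. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Hardened shape: bounded copy, constant format string. */
int handle_input_fixed(const char *input)
{
    char s1[BUF_SIZE];
    if (copy_bounded(s1, sizeof s1, input) != 0)
        return -1;           /* oversize input is refused, not truncated silently */
    printf("%s\n", s1);      /* input is data, never the format */
    return 0;
}

/* Allow-list dispatch: calls fp only if it is one of the known targets.
 * A check on bytes near the target (as the writeup describes) passes for
 * any address that happens to carry the tag; comparing the pointer itself
 * refuses every address outside the table. */
int dispatch_if_allowed(handler_t fp)
{
    size_t i;
    for (i = 0; i < sizeof allowed_handlers / sizeof allowed_handlers[0]; i++) {
        if (allowed_handlers[i] == fp) {
            fp();
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char too_long[BUF_SIZE + 8];              /* constructed oversize input */
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';

    printf("short input: %d\n", handle_input_fixed("hello"));      /* 0 */
    printf("long input:  %d\n", handle_input_fixed(too_long));     /* -1 */
    printf("dispatch ok: %d\n", dispatch_if_allowed(handler_a));   /* 1 */
    printf("dispatch no: %d\n", dispatch_if_allowed(not_allowed)); /* 0 */
    return 0;
}
```

The fixed handler returns an error for oversize input rather than truncating, so the caller can log and drop the request; the allow-list dispatch is the shape to look for when reviewing code that calls through a pointer stored next to attacker-reachable buffers.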

It calls sub_8048695, which is the subroutine that calls system, but it requires dword_804A02C to be equal to 1. No worries: we have a format string exploit that can simply write 1 to 0x804A02C.

Also, command is a global char pointer stored at 0x0804A030.

.bss:0804A030; char *command

We need to write the address of a “/bin/sh” string into this pointer, but there is no “/bin/sh” string in the binary. Still, there is nothing to fear: our format string exploit can write one somewhere in the bss section if we can find 8 bytes of free space. Let’s take a look at the bss section.

.bss:0804A020; Segment type: Uninitialized
.bss:0804A020; Segment permissions: Read/Write
.bss:0804A020; Segment alignment '32byte' can not be represented in assembly